                   -*-  General TRacer v1.84  -*-

               by

                            1997

  -------------------------------------------------------------------------------
  Handle   Real name           Age  Profession   Contact            Activity
  -------------------------------------------------------------------------------
  Bugsy    Benjamin Petersen   24   Programmer   _bugsy@usa.net     Coder, organizer
  Spawn    Michael Skovslund   23   Programmer   _spawn@usa.net     Coder, gfx
  Icicle   Henrik Eiriksson    24   Study IFA    _icicle@usa.net    Music, art
  Hendrix  Patrick Enoch       22   Study Math   _hendrix@usa.net   Coder, unpackers
  -------------------------------------------------------------------------------
                                                                       
      for questions about our group contact via e-mail:  _bugsy@usa.net  
                                                                         
       FREELY REGISTER YOUR COPY                                       
        AT ONE OF OUR HOMEPAGES :        HOME.T-ONLINE.DE/HOME/ENOCH    
          OR SEND AN E-MAIL TO :        _hendrix@usa.net              
  

                                   INDEX

  How to unpack COMs
    Unpacking
    Terminated to DOS
    Recognition of an unpacked COM
    Convert Dump to COM
  How to unpack EXEs
    Unpacking
    Terminated to DOS
    Unpacked?
    Recognition of an unpacked EXE
    Always make two Dumps
    Convert Dump to EXE


###############################################################################


 HOW TO UNPACK COMs
<==================>
note: some COMs are packed EXEs, so please have a look at the other chapter!

 Unpacking
quick unpacking:           get the /su-value from the list in OPTIONS.TXT!
         GTR /suX abc.com

watch the unpacking:
         GTR /suX /ru- /da+ abc.com

step through it:
         GTR /suX /ru- /da+ /tr+ abc.com

 Terminated to DOS
- You should save the dump anyway, convert it to COM and see if it runs!
- Decrease the /su-value for less sensitivity! The packer may not set up as
  many registers as expected; some packers set up only 3 registers!

 Recognition of an unpacked COM
- Must: CS=DS=ES=SS=PSP
- Must: SP is near FFFE
- Can : AX=BX=CX=DX=SI=DI=BP=0000 (see OPTIONS.TXT for any specific setups)
- Always have a look at the memory-dump!

 Convert Dump to COM
The utility DUMP2COM helps you extract the COM file out of the dump.
Before executing the program, GTR filled all memory with $FF (255 decimal).
A common method is therefore to search for many $FFs in a row to determine
which memory the program did not use (the maximum extent of the program).
DUMP2COM copies all bytes to the COM file until a long run of $FFs is found:

                 DUMP2COM 4000 255 abc.cod abcnew.com

This means that when 4000 bytes of 255 ($FF) in a row are found, the program
declares this the end of valid code. Of course, if you choose a 'cut' value
far below 4000, the program itself may contain that many $FFs in a row and
the code will be cut in the middle of the program! I have also experienced
packers that fill memory with 0 to delete themselves. If the COM file is too
big, hex-view it and choose another filler value.


###############################################################################


 HOW TO UNPACK EXEs
<==================>
note: some EXEs are packed COMs, so please have a look at the other chapter!

 Unpacking
quick unpacking:           get the /su-value from the list in OPTIONS.TXT!
         GTR /suX abc.exe

watch the unpacking:
         GTR /suX /ru- /da+ abc.exe

step through it:
         GTR /suX /ru- /da+ /tr+ abc.exe

 Terminated to DOS
- Decrease the /su-value for less sensitivity! The packer may not set up as
  many registers as expected; some packers set up only 3 registers!

 Unpacked?
The entrypoint detector will ask you whether to save. Try different
/su-values: the lower the value, the more prompts you get, but also the
better the chance of catching an unpacked EXE. Have a look at the registers!
A register printed in red indicates that its value is not what a freshly
started program would have. Especially when SS or DS is printed in red, you
can assume that no unpacked code is present.

 Recognition of an unpacked EXE
- Must: DS=ES=PSP
- Must: CS and SS are in range (not printed in red)
- Can : SP has a 'round' value (e.g. 200h or 1FEh, but not 124h)
- Can : AX=BX=CX=DX=SI=DI=BP=0000 (see OPTIONS.TXT for any specific setup)
- Always have a look at the memory-dump!

 Always make two Dumps
Rename the dump so it will not be overwritten by the next dump:

		Rename abc.EXD to abc.d1

Because GTR kept track of your actions, you can use the macro file for
your next unpacking. Start GTR again with /mm+ (the program will be loaded
higher in memory, which is needed for computing the relocations) and /rm+
(run macro abc.EXC):

                GTR /suX ... /mm+ /rm+ abc.EXE

If the macro failed, unpack again with only the /mm+ option:

		GTR /suX ... /mm+ abc.EXE

Rename the dump; you now have the two raw dumps abc.d1 and abc.d2:

		Rename abc.EXD to abc.d2


 Convert Dump to EXE
          automatically:
Use STACKCUT on the two dumps. Try the zero option first; if this does not
work, use it without the zero option. If the dumps come out cut too short, do
not use this tool on them (the stack is then not at the end of the dump).

		STACKCUT abc.d1 abc.1 zero
		STACKCUT abc.d2 abc.2 zero

If STACKCUT fails, try DUMPCUT instead. It looks for a run of 10000 equal
bytes and cuts the dump there:

		DUMPCUT 10000 abc.d1 abc.1
		DUMPCUT 10000 abc.d2 abc.2
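The cut rule used by DUMP2COM (COM chapter) and DUMPCUT (here) is the same idea: GTR pre-filled memory with $FF, so the first long run of equal bytes marks the end of the program. The following is an added example, not GTR's own code (the real tools' source is not in this file); it implements that rule in Python with both flavours, DUMP2COM's fixed filler value and DUMPCUT's "any equal bytes", and uses a constructed dump to show the two failure modes the text warns about: a cut value too small slices inside a data table of $FFs, and a packer that wiped memory with 0 is missed by a $FF-only cut but caught by the DUMPCUT rule.

```python
"""Cut the filler tail off a GTR memory dump, the way DUMP2COM and DUMPCUT do.

Added example, not code from GTR (the tools' own source is not on the page).
GTR fills memory with 0xFF before running the program, so the end of the
program is guessed as the first run of `count` equal bytes:
  - DUMP2COM style: only runs of the given filler value (0xFF / 255) count;
  - DUMPCUT style:  any byte value counts, which also catches packers that
    wiped their own memory with 0 instead of 0xFF.
"""
import sys
from typing import Optional


def find_filler_run(dump: bytes, count: int, filler: Optional[int] = None) -> int:
    """Return the offset where the first run of at least `count` equal bytes
    starts (restricted to `filler` if one is given). Returns len(dump) when
    no such run exists, i.e. nothing would be cut."""
    if count < 1:
        raise ValueError("count must be >= 1")
    run_start = 0
    for i in range(1, len(dump) + 1):
        # A run ends when the next byte differs or the dump ends.
        if i == len(dump) or dump[i] != dump[run_start]:
            if i - run_start >= count and (filler is None or dump[run_start] == filler):
                return run_start
            run_start = i
    return len(dump)


def cut_dump(dump: bytes, count: int, filler: Optional[int] = None) -> bytes:
    """The bytes DUMP2COM / DUMPCUT would copy into the output file."""
    return dump[:find_filler_run(dump, count, filler)]


# Constructed sample dump (not a real program): 256 bytes of "code" that
# happen to contain a 16-byte table of 0xFF, followed by 4500 bytes of
# GTR's 0xFF filler.
CODE = bytes(range(1, 0x81)) + b"\xff" * 16 + bytes(range(0x81, 0xF1))
SAMPLE_DUMP = CODE + b"\xff" * 4500
# The same program after a packer that wiped memory with 0 instead.
ZERO_WIPED_DUMP = CODE + b"\x00" * 4500


def demo() -> dict:
    """Cut offsets for the cases the text warns about: a generous count
    (4000) stops at the real end, a tiny count (8) cuts inside the 0xFF
    table, and a 0xFF-only cut keeps a zero-wiped dump whole."""
    return {
        "dump2com_4000": find_filler_run(SAMPLE_DUMP, 4000, 0xFF),      # 256
        "dump2com_8": find_filler_run(SAMPLE_DUMP, 8, 0xFF),            # 128, too early
        "dump2com_zero": find_filler_run(ZERO_WIPED_DUMP, 4000, 0xFF),  # 4756, nothing cut
        "dumpcut_zero": find_filler_run(ZERO_WIPED_DUMP, 4000),         # 256
    }


if __name__ == "__main__":
    # Usage mirrors DUMP2COM: cut.py COUNT FILLER IN OUT ("any" as FILLER = DUMPCUT)
    if len(sys.argv) != 5:
        print(demo())
        sys.exit(0)
    count, filler_arg, src, dst = sys.argv[1:]
    filler = None if filler_arg == "any" else int(filler_arg, 0)
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(cut_dump(data, int(count), filler))
```

Run without arguments it prints the four sample offsets; with `4000 255 abc.cod abcnew.com` it behaves like the DUMP2COM line in the COM chapter, and with `10000 any abc.d1 abc.1` like DUMPCUT. The hex-view check from the text still applies: when the output is as long as the dump, the filler was not the one you told the tool to look for.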

Use MAKEEXE to build new EXE (will look for the dumps abc.1 and abc.2):

		MAKEEXE abc.EXE abcnew.EXE

          by hand:
Use a HEX-Editor on the Dumps:
The memory has been filled with 0FFh; now it is your task to find (guess)
the end of the valid code. Cut off the trailing 0FFh and make both dumps
of equal length.

		COPY abc.d1 abc.1           (keep abc.d1 as backup!)
		HEXED abc.1
		COPY abc.d2 abc.2
		HEXED abc.2

Use MAKEEXE to build new EXE (will use abc.1 and abc.2):

		MAKEEXE abc.EXE abcnew.EXE
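Why two dumps at different load addresses are needed (the /mm+ run above) and what MAKEEXE has to do with them is worth seeing in code. The following is an added example and not GTR's or MAKEEXE's own code (their source is not in this file): it implements the classic two-dump method, which I assume is what MAKEEXE does with abc.1 and abc.2. Every 16-bit word that DOS relocated holds a segment value, so it differs between the two dumps by exactly the segment delta between the two runs; those offsets form the relocation table, the first dump with the load segment subtracted becomes the load module, and a minimal MZ header is put in front. The load segments and the entry CS:IP / SS:SP are assumed to be read off GTR's register display; the 32-byte "program" is constructed for the demonstration.

```python
"""Recover an EXE's relocation table from two dumps loaded at different
addresses and wrap the result in an MZ header.

Added example, not GTR's or MAKEEXE's own code. It implements the classic
two-dump method (assumed to be what MAKEEXE does): GTR's /mm+ run loads the
program some paragraphs higher, so every word DOS relocated differs between
the dumps by exactly that segment delta. Load segments and entry registers
are assumed to come from GTR's register display.
"""
import struct
from typing import List, Tuple

MZ_HEADER = "<2s" + "H" * 13     # the 28-byte DOS MZ header, little-endian
MZ_RELOC_OFFSET = 0x1C           # relocation table placed right after it


def word(buf: bytes, off: int) -> int:
    return struct.unpack_from("<H", buf, off)[0]


def find_relocations(dump_low: bytes, dump_high: bytes, seg_delta: int) -> Tuple[List[int], List[int]]:
    """Offsets of words that differ by seg_delta (relocated segment values),
    plus offsets of bytes that differ for any other reason (variables, stack
    leftovers) so the analyst can inspect them by hand."""
    if len(dump_low) != len(dump_high):
        raise ValueError("cut both dumps to the same length first")
    n = len(dump_low)
    relocs, unexplained, consumed = [], [], set()
    for p in (i for i in range(n) if dump_low[i] != dump_high[i]):
        if p in consumed:
            continue
        # The differing byte may be either half of the relocated word; with a
        # delta like 1000h only the high byte changes, so also try p-1.
        for start in (p, p - 1):
            if 0 <= start < n - 1 and (word(dump_high, start) - word(dump_low, start)) & 0xFFFF == seg_delta:
                relocs.append(start)
                consumed.update((start, start + 1))
                break
        else:
            unexplained.append(p)
    return relocs, unexplained


def unrelocate(image: bytes, relocs: List[int], load_seg: int) -> bytes:
    """DOS adds the load segment to each relocated word at load time, so the
    load module stored in the file must hold the values minus load_seg (the
    segment the first dump was loaded at)."""
    img = bytearray(image)
    for off in relocs:
        struct.pack_into("<H", img, off, (word(img, off) - load_seg) & 0xFFFF)
    return bytes(img)


def build_mz(image: bytes, relocs: List[int], cs: int, ip: int, ss: int, sp: int) -> bytes:
    """Minimal MZ file: header, relocation table, paragraph padding, module.
    cs and ss are relative to the load segment, as in any EXE header."""
    table = b"".join(struct.pack("<HH", off & 0xF, off >> 4) for off in relocs)
    hdr_len = (MZ_RELOC_OFFSET + len(table) + 15) & ~15
    total = hdr_len + len(image)
    header = struct.pack(MZ_HEADER, b"MZ",
                         total % 512, (total + 511) // 512,   # last-page bytes, page count
                         len(relocs), hdr_len // 16,          # reloc count, header paragraphs
                         0, 0xFFFF,                           # min/max extra memory
                         ss, sp, 0, ip, cs,                   # checksum left as 0
                         MZ_RELOC_OFFSET, 0)
    return (header + table).ljust(hdr_len, b"\0") + image


def parse_mz(data: bytes) -> Tuple[bytes, List[int]]:
    """Read an MZ file back: (load module, linear relocation offsets)."""
    f = struct.unpack_from(MZ_HEADER, data, 0)
    if f[0] != b"MZ":
        raise ValueError("not an MZ file")
    cblp, cp, crlc, cparhdr, lfarlc = f[1], f[2], f[3], f[4], f[12]
    size = cp * 512 - (512 - cblp if cblp else 0)
    entries = struct.iter_unpack("<HH", data[lfarlc:lfarlc + 4 * crlc])
    return data[cparhdr * 16:size], sorted(seg * 16 + off for off, seg in entries)


def rebuild_exe(dump_low, dump_high, seg_low, seg_high, cs, ip, ss, sp):
    """Whole pipeline from two dumps to an EXE; returns (exe, relocs, unexplained)."""
    relocs, odd = find_relocations(dump_low, dump_high, (seg_high - seg_low) & 0xFFFF)
    return build_mz(unrelocate(dump_low, relocs, seg_low), relocs, cs, ip, ss, sp), relocs, odd


def constructed_dump(load_seg: int) -> bytes:
    """Constructed 32-byte 'program' (not real code): a far pointer whose
    segment is load_seg+1 sits at offset 4 and a segment value load_seg+3 at
    offset 14h; every other byte is the same whatever the load address."""
    img = bytearray(range(0x20, 0x40))
    struct.pack_into("<H", img, 4, (load_seg + 1) & 0xFFFF)
    struct.pack_into("<H", img, 0x14, (load_seg + 3) & 0xFFFF)
    return bytes(img)


if __name__ == "__main__":
    exe, relocs, odd = rebuild_exe(constructed_dump(0x1000), constructed_dump(0x2000),
                                   0x1000, 0x2000, cs=0, ip=0, ss=0, sp=0x200)
    print("relocations at", [hex(r) for r in relocs], "unexplained:", odd)
    print("EXE size", len(exe), "bytes; parsed back:", parse_mz(exe)[1])
```

The "unexplained" list is the part to watch in practice: bytes that differ between the two runs for a reason other than relocation (a variable the program wrote, stack residue) mean the two dumps were not taken at the same point, which is exactly why the text has you replay the macro with /rm+ so both runs stop at the same place.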

